Data Harvest

The Scapy packet manipulation program lets you analyze and manipulate packets to create incident response reports or examine network security.

Most folks have pulled up Wireshark a time or two to troubleshoot an application or system problem. During forensics, packet captures (PCAPs) are essential. Often you are looking at things like top talkers, ports, bytes, DNS lookups, and so on. Why not automate this process with Python?

Scapy [1] is a great tool suite for packet analysis and manipulation. It is most often talked about in the realm of packet manipulation, but its ability to analyze packets is also top-notch.

Make Ready

First, you need to make sure you have Python 3 installed along with the following packages:

sudo pip3 install scapy scapy_http plotly PrettyTable

To get started, you will want a PCAP to analyze. To capture 1,000 packets and save them to the file example.pcap, enter:

Scapy can handle all parts of the OSI model except Layer 1 (Figure 1). Listing 1 shows the Hello World! of packet reading. To begin, you need to read a raw packet (line 5), see if it has the layer your want (line 9), and then act on it. Because you are using Python, if you try to print out pkt[IP].src when no IP is present, Python will throw an error, so you need to wrap it in a try/except (lines 10-13).

Sorting

If you ran the code in Listing 1 with your example.pcap file of 1,000 packets, your terminal printed ~1,000 lines, which is obviously not very useful. To improve, you can read all the IPs, append them to a list, then run a counter, and print the results using the PrettyTable module (Listing 2). As before, you import Scapy, but now you will also import the collection module and PrettyTable (Step 1). Next, add an empty list, and append (Step 2). Now you can use the counter to loop through the list of IPs and create a count (Step 3); finally, using the PrettyTable module, you print out the results in a clean table (Step 4).

Visualize

Now that you know how to read packets and do some counting, you can use the Plotly package to make graphs by building on the last example (Listing 3). First, you have to add the plotly import to Step 1 (line 1); then, after going through Steps 2 and 3 as before, you replace Step 4 in the previous example of Listing 2 with new code that creates two new lists to hold x and y data (Listing 3, lines 4-5) and loops through the IPs again, adding them to the lists (lines 7-9).

By default, Plotly uses its web UI to create charts, but if, like me, you use this data in a incident response situation, you do not want to share that data with a cloud system. Therefore, I use the offline version to plot my data in a new Step 5. When run, it will open your default web browser (Figure 2).